VSEC Blog: IT Security Channel News brought to you by Infinigate UK

GDPR & Personal Data in the Public Domain

Posted: 30 May 2018

The 25th May 2018 has arrived and you, as a data subject, have been empowered with Europe's most ambitious and forward-thinking data protection regulation to date, the GDPR. As the ultimate steward of your personal data, you now have control over its use in most scenarios, making data privacy a fundamental right. But what about instances where your personal data is available publicly? Is personal data fair game once it is in the public domain?

What is the Public Domain?

The term public domain is generally thought to be anything which can be found on the internet or in media, which has no specific cost to access. Take for example a telephone number in a telephone directory, an email address on a LinkedIn profile or a name published in a newspaper article.

Colloquially this is not incorrect; however, the term originates from intellectual property such as designs, music and other media, where any of these found in the public domain are no longer considered to be owned and are therefore free to use. A good example of this is the musical compositions of Mozart, which are now in the public domain and free to use due to their age.

Confusion comes in applying this to personal data, where there is sometimes an assumption that personal data in the public domain also inherits this free-to-use characteristic. This of course is incorrect.

The GDPR and the Public Domain

Personal data in the public domain is not fair game. In fact, there is nothing contained within the articles of the GDPR which references the public domain as a factor. It simply requires all processing of personal data to be lawful, which can be achieved by demonstrating one of six lawful purposes:

The processing of personal data is for legitimate interests pursued by the data controller.

Scraping websites such as LinkedIn for contact information or using a public directory of contacts is not necessarily illegal; it just requires that you, as the data controller, meet one of the legal purposes for processing.

Processing is a Means to an End

To use an old cliché... at the end of the day, collecting personal data from a public location is likely to be for a purpose. Most likely, in the case of collecting contact information, it will be for marketing purposes. Data controllers might be able to justify collecting said personal information, but can they actually use it?

Enter the PECR, a regulation which since 2003 has governed electronic communications. It is a regulation which has arguably been made more famous as a consequence of the GDPR than it ever was on its own. With a less generalised focus than the GDPR, the PECR restricts electronic communication to a number of scenarios such as:

The data subject is not on a telephone preference or email opt-out list, depending on your method of communication.

You have explicit permission to communicate with a data subject.

You have an existing business relationship with the data subject; this could be an engagement of your services or a previous negotiation. This is known as the soft opt-in and only applies to certain types of data subjects.

All Personal Data is Equal

Fundamentally, the term public domain has no relevance in data protection regulations. All personal data is equal in the sense that it can only legally be processed if processing meets one of six purposes.

This doesn't stop you from using personal data which you have gathered from public sources, but you may come unstuck when it comes to the true purpose of collecting that personal data: to use it and communicate. Without the ability to use it, publicly collected personal data is no more useful than any other type.
